Author Topic: Why is this site being blocked by Avast?  (Read 10227 times)

another532

  • Guest
Why is this site being blocked by Avast?
« on: August 16, 2013, 01:00:04 AM »
Hi, I would like to get some info on this.

Avast free is blocking microelectronicash dot com but doesn't provide any details about why.

Scanned the URL with a lot of tools and only Avast reports it as malicious.

Thanks in advance.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5413
  • Spartan Warrior
Re: Why is this site being blocked by Avast?
« Reply #1 on: August 16, 2013, 01:20:21 AM »
Whoa! 

Caution: visiting the site will give 13 consecutive network shield blocks. Do not attempt to visit.

Are you sure?  Because Googling gives a site out of country here and in Spanish? maybe? 

http://zulu.zscaler.com/submission/show/f5a6460ab0cb8547ea919d4b96342134-1376608308
http://urlquery.net/report.php?id=4580428
http://www.urlvoid.com/scan/microelectronicash.com/  Note that MyWOT is unrated for this site.
http://sitecheck.sucuri.net/results/www.microelectronicash.com

Wouldn't be the first time avast! has detected and blocked new emerging malware at a website, nor will it be the last.

Are you the site's owner?

See attached:
Windows 10 Home 64-bit 21H2 Avast Premier Security version 22.8.6030 (build 22.8.7500.734) UI version 1.0.723.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37132
  • Not a avast user
Re: Why is this site being blocked by Avast?
« Reply #2 on: August 16, 2013, 01:39:32 AM »
if you click details on that popup.... do you then see the full url?


Offline mchain
Re: Why is this site being blocked by Avast?
« Reply #3 on: August 16, 2013, 01:47:29 AM »
yea, ends in (site name) .../CSS/lightbox.css  That's the malicious agent being flagged.  What the other 12 were, do not know atm.

[EDIT:]  Oops, assumed show last popup would show same as attached above, but no...

New attached below:
« Last Edit: August 16, 2013, 01:52:14 AM by mchain »

another532

  • Guest
Re: Why is this site being blocked by Avast?
« Reply #4 on: August 16, 2013, 02:01:42 AM »
Hi, I don't get any related URL, I'm not the site owner either.

Offline Pondus
Re: Why is this site being blocked by Avast?
« Reply #5 on: August 16, 2013, 02:05:12 AM »
if you think this is wrong.....

You can report a possible FP here: http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply


another532

  • Guest
Re: Why is this site being blocked by Avast?
« Reply #6 on: August 16, 2013, 02:37:40 AM »
That's the point, how can I know if it's for real or a false positive when there is no information at all?
I was expecting someone from avast to explain it.

Offline mchain
Re: Why is this site being blocked by Avast?
« Reply #7 on: August 16, 2013, 02:40:53 AM »
Contacted another forum member here who is very good at investigating such anomalies as this.

Offline mchain
Re: Why is this site being blocked by Avast?
« Reply #8 on: August 16, 2013, 02:57:45 AM »
A little more info from avast! user account: 

Attached below:

another532

  • Guest
Re: Why is this site being blocked by Avast?
« Reply #9 on: August 16, 2013, 04:49:49 AM »
Can images even contain malware?

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Why is this site being blocked by Avast?
« Reply #10 on: August 16, 2013, 05:47:48 AM »
Can images even contain malware?

Yes.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

kubecj

  • Guest
Re: Why is this site being blocked by Avast?
« Reply #11 on: August 16, 2013, 09:23:53 AM »
The whole server got blocked because a Darkleech infection was detected. Please contact your host and ask them to resolve this situation - there must be some vulnerability (usually CPanel or Plesk) which lets bad guys upload a malicious httpd server or httpd server module.

Offline mchain
Re: Why is this site being blocked by Avast?
« Reply #12 on: August 16, 2013, 09:56:11 AM »
Well, here is more info thanks to kubecj above:  http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922

Walked right into it, too!  *sigh*   Failure to install security updates in place when they come out, is what it is.  You can look to sys admins for that timely lapse.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33491
  • malware fighter
Re: Why is this site being blocked by Avast?
« Reply #13 on: August 16, 2013, 10:14:08 AM »
Excessive header information:
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Fri, 16 Aug 2013 07:50:56 GMT
Pragma: no-cache
Location: /index.php?secc=contacto
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=12c718f0d171a39f0fa0c6deb26300d0; path=/
X-Powered-By: PHP/5.2.17
3 security warnings here: https://asafaweb.com/Scan?Url=www.microelectronicash.com
Previous compromise of domain on same IP via /.sys?getexe=v2webserver.exe or /.sys?getexe=v2prx.exe  or /.sys?getexe=ms.26.exe
reported here: http://www.malwaredomainlist.com/forums/index.php?topic=3190.2615
see: http://exploitsdownload.com/search/dork%20sql%20injection%202013/90

Flagged
Code:
  </div>
    <div class="coldos">
      <div class="modulo">
      <a href="index.php?keyword=PELTIER&secc=catalogo"> 
          <div id="imghome03">
          </div>
IP 1 appearance(s) in spam e-mail or spam post url

Code:
<embed width="340" height="50" src="images/banner-logos.swf" quality="high"
pluginspage="htxp://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash">
</embed>
source of malcode ? catalog/view/javascript/DD_belatedPNG_0.0.8a-min.js

polonus
« Last Edit: August 16, 2013, 11:06:32 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
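
The "excessive header information" in the reply above, as an added example that is not part of the original thread: it parses the quoted response, lists every product/version pair the server discloses, and shows what would remain with product-only banners. Function names are hypothetical and the session ID is replaced with a placeholder.

```python
import re

# Response quoted in the post above; the cookie value is a constructed placeholder.
RAW_RESPONSE = """\
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 16 Aug 2013 07:50:56 GMT
Location: /index.php?secc=contacto
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Type: text/html
Set-Cookie: PHPSESSID=PLACEHOLDER; path=/
X-Powered-By: PHP/5.2.17
"""

# A product token looks like name/version, e.g. mod_ssl/2.2.25
TOKEN = re.compile(r"([A-Za-z_][\w.-]*)/(\d[\w.\-]*)")

def parse_headers(raw):
    """Split a raw response head into (status line, {lowercase name: [values]})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def disclosed_versions(headers):
    """Return (header, product, version) for every versioned token in banner headers."""
    found = []
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            found.extend((name, p, v) for p, v in TOKEN.findall(value))
    return found

def hardened_view(headers):
    """Same headers with the Server banner cut to the product name and X-Powered-By dropped."""
    out = {k: list(v) for k, v in headers.items() if k != "x-powered-by"}
    if "server" in out:
        out["server"] = [v.split("/", 1)[0].split()[0] for v in out["server"] if v]
    return out

if __name__ == "__main__":
    status, hdrs = parse_headers(RAW_RESPONSE)
    for header, product, version in disclosed_versions(hdrs):
        print(f"{header}: {product} {version}")
    print("after hardening:", hardened_view(hdrs).get("server"))
```

The hardened view corresponds to what Apache sends with `ServerTokens Prod` and PHP with `expose_php = Off`; hiding the banner does not patch the software behind it.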

another532

  • Guest
Re: Why is this site being blocked by Avast?
« Reply #14 on: August 16, 2013, 09:10:35 PM »
Thank you.